Network Data Leadership

8/18/2019 Network Data Leadership

1/24

Commitment to Cybersecurity and Information Technology Governance: A Case Study

and Leadership Model

by

Scipiaruth Kendall Curtis

A Dissertation Presented in Partial Fulfillment

of the Requirements for the Degree

Doctor of Management of Information Systems Technology

UNIVERSITY OF PHOENIX

May 2012


2/24

All rights reserved

INFORMATION TO ALL USERSThe quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that the author did not send a complete manuscriptand there are missing pages, these will be noted. Also, if material had to be removed,

a note will indicate the deletion.

Microform Edition © ProQuest LLC. All rights reserved. This work is protected against

unauthorized copying under Title 17, United States Code

ProQuest LLC.789 East Eisenhower Parkway

P.O. Box 1346

Ann Arbor, MI 48106 - 1346

UMI 3569139

Published by ProQuest LLC (2013). Copyright in the Dissertation held by the Author.

UMI Number: 3569139


3/24

© 2012 by Scipiaruth Kendall Curtis

ALL RIGHTS RESERVED


4/24


5/24

Abstract

The continual emergence of technologies has infiltrated government and industry

business infrastructures, requiring reforming organizations and fragile network

infrastructures. Emerging technologies necessitates countermeasures, commitment to

cybersecurity and information technology governance for organization‘s survivability and

sustainability. The purpose of the qualitative exploratory case study was to analyze the

critical inclusion of information assurance professionals in the organization‘s strategic

plan by senior leadership to advance the integration of cybersecurity and information

technology governance, resulting in diminishing network vulnerabilities. Interviews

were conducted with 10 information assurance professionals and 10 supervisors of

information assurance professionals from March Air Reserve Base, California. The

findings generated six themes with meaningful interdependencies between information

technology organization, information technology governance, cybersecurity, network

management, security management, and senior leadership involvement. Results of the

study concluded government organizations need a National Defense Cybersecurity

Strategy (NDCS) to pr otect the nation‘s interest. The NDCS would establish

meaningfulness to the interdependency relationship between senior leadership and the IT

organization in government organizations. The NDCS would establish meaningful

interdependent relationships between the organizations‘ strategic planning and

information assurance professionals‘ expertise in cybersecurity and IT governance.

Recommendation to leadership was to develop and deploy NDCS to federal organizations

to assist in contributing to transferability, and recruitment and retention of IA

professionals to provide standardization, controls, and to increase the body of knowledge.


6/24

iv

Dedication

I dedicate this study to my loving husband Kelly, my chef, and true love. Your

sage advice, endless patience, and continual encouragement to persevere made it easy for

me to complete my doctoral journey. I would never forget the many long nights that you

kept me entertained, so that I could make my doctoral class deadlines and the many

vacations, bike rides, golfing, and tennis events that you sacrificed because you wanted

me there as your wife and partner. To my parents — my mother, who gave me the guiding

light, and my first leadership course on developing my own footsteps. To my father, who

I did not have the pleasure of knowing, but very much aware that he was responsible for

my creativity and analytical mindset that I use on a daily basis, ultimately the foundation

for my doctoral map. To Michele, my confidante and tennis doubles partner, whose

creativity and innovativeness provided the vehicle to transcend many writing challenges

presented during the doctoral journey into mental keenness on and off the court. To the

almighty spirit — God, who gave me the mental, physical, and spiritual strength, the will

to find meaningfulness, and most of all to remember that will provides a way to succeed.


7/24

v

Acknowledgments

Many senior leaders, colleagues, peers, and friends supported my doctoral

journey. Every encounter provided a unique relationship that will always add special

meaning and value in my travels. My sincerest and heart-felt words of thank you will

forever remain at the forefront of my memories. To Dr. Linda de Charon, my dissertation

chair, Dr. C. Augusto Casas and Dr. Melissa Holmberg, my committee members, for

your continual focus, astute recommendations, and steadfast reinforcement to stay on the

doctoral course. To my University of Phoenix cohorts, who provided unwavering

dedication, best practices, and lessons learned particularly difficult in distance learning

doctoral courses. To the men and women at March Air Reserve Base, especially the

information technology organization, that supported this research study with confidence

and professionalism. Special thanks to Brig Gen Udo ―Karl‖ McGregor without his

permission and support, this research study would not have been possible.


8/24

vi

Disclaimer

The views presented in this dissertation are those of the author or the research

participants and do not necessarily represent the views of the Department of Defense or

its Components or any U.S. government department or agency.


9/24

vii

Table of Contents

Chapter 1: Introduction .............................................................................................. 1

Background of the Problem ....................................................................................... 3

Statement of the Problem ........................................................................................... 8

Purpose of the Study .................................................................................................. 9

Significance of the Study ......................................................................................... 13

Importance of the Study to Leadership .................................................................... 15

Nature of the Study .................................................................................................. 16

Overview of the research method. .................................................................... 19

Overview of the design appropriateness. .......................................................... 21

Research Questions .................................................................................................. 25

Theoretical Framework ............................................................................................ 28

Organizational competition ...................................................................................... 29

Organizational competencies. ........................................................................... 30

Organizational change ............................................................................................. 31

Organizational emotional intelligence. .................................................................... 32

Organizational risk. ........................................................................................... 33

Organizational cybersecurity and IT governance ............................................. 34

IT organization and organizational change. ...................................................... 36

Definition of Terms.................................................................................................. 36

Assumptions ............................................................................................................. 40

Scope and Limitations.............................................................................................. 41

Delimitations ............................................................................................................ 45


10/24

viii

Summary .................................................................................................................. 46

Chapter 2: Review of the Literature ......................................................................... 49

Title Searches, Articles, Research Documents, and Journals .................................. 49

Historical overview. ................................................................................................. 51

Organizational communication. ........................................................................ 52

Organizational discourse. ................................................................................. 52

Organizational change. ..................................................................................... 53

Organizational adaptability. .............................................................................. 55

Lifetime learning. ............................................................................................. 55

Knowledge management. ................................................................................. 56

Emerging technologies. .................................................................................... 58

Organizational structure. ................................................................................... 58

Organizational conflict. .................................................................................... 59

Organizational survivability. ............................................................................ 60

Organizational culture. ..................................................................................... 62

Organizational strategies. ................................................................................. 63

Organizational resources. ................................................................................. 64

Leadership theory. ............................................................................................ 65

Organizational leadership. ................................................................................ 66

Executive leadership. ........................................................................................ 67

Decision-making. .............................................................................................. 68

Emotional intelligence. ..................................................................................... 68

Management and information. .......................................................................... 69


11/24

ix

Organizational performance. ............................................................................ 70

Organizational management. ............................................................................ 71

Strategic management. ...................................................................................... 72

Innovation. ........................................................................................................ 73

Globalization of information technologies. ...................................................... 73

Information technology environment. .............................................................. 74

Security, certification, and accreditation. ......................................................... 74

IT governance ................................................................................................... 76

Cybersecurity. ................................................................................................... 76

Current Findings ...................................................................................................... 78

Organizational communication. ........................................................................ 79

Organizational discourse. ................................................................................. 80

Organizational design. ...................................................................................... 81

Organizational adaptability. .............................................................................. 82

Organizational change. ..................................................................................... 83

Lifetime learning. ............................................................................................. 83

Knowledge management. ................................................................................. 85

Emerging technologies. .................................................................................... 85

Organizational structure. ................................................................................... 86

Organizational conflict. .................................................................................... 87

Organizational survivability. ............................................................................ 87

Organizational culture. ..................................................................................... 88

Organizational strategies. ................................................................................. 89


12/24

x

Organizational resources. ................................................................................. 90

Leadership. ........................................................................................................ 91

Organizational leadership. ................................................................................ 92

Executive leadership. ........................................................................................ 92

Decision making. .............................................................................................. 93

Emotional intelligence. ..................................................................................... 94

Management and information technology. ....................................................... 95

Organizational performance. ............................................................................ 96

Organizational management. ............................................................................ 98

Strategic management. ...................................................................................... 99

Innovation. ...................................................................................................... 100

Globalization and information technology. .................................................... 102

Information technology environment. ............................................................ 103

Security, certification, and accreditation. ....................................................... 105

IT governance. ................................................................................................ 106

Cybersecurity. ................................................................................................. 107

Risk management. ........................................................................................... 108

Conclusions ............................................................................................................ 109

Summary ................................................................................................................ 110

Chapter 3: Method ................................................................................................. 113

Research Method ................................................................................................... 114

Design Appropriateness ......................................................................................... 115

Research Questions ................................................................................................ 117


13/24

xi

Population .............................................................................................................. 119

Sampling Frame ..................................................................................................... 121

Informed Consent................................................................................................... 123

Confidentiality ....................................................................................................... 125

Geographic Location .............................................................................................. 127

Data Collection ...................................................................................................... 127

Instrumentation ...................................................................................................... 130

Validity .................................................................................................................. 132

Expert panel. ................................................................................................... 133

Internal validity ............................................................................................... 134

External validity. ............................................................................................. 135

Data Analysis ......................................................................................................... 137

Summary ................................................................................................................ 141

Chapter 4: Analysis and Results ............................................................................ 143

Expert Panel ........................................................................................................... 144

Demographics ........................................................................................................ 144

Data Collection ...................................................................................................... 150

Data Analysis ......................................................................................................... 152

Interview Questions Asked and Relevant Responses ............................................ 155

Information Assurance Professionals (IAPs) Interview Questions ........... 156

Supervisors of Information Assurance Professionals (SIAPs) Interview

Questions................................................................................................................ 163

Emerging Themes Results ..................................................................................... 169


14/24

xii

Research Question Findings .................................................................................. 181

Summary ................................................................................................................ 183

Chapter 5: Conclusions and Recommendations .................................................... 186

Implication of Research Question Findings ........................................................... 188

Implications of the themes ..................................................................................... 193

Limitations ............................................................................................................. 210

Recommendations for Action ................................................................................ 214

Recommendations for Further Research ................................................................ 219

Chapter 5 Summary ............................................................................................... 221

References .............................................................................................................. 227

Appendix A: Summary of Literature Searched by Category ................................. 293

Appendix B: Permission to Use Premises ............................................................. 294

Appendix C: Informed Consent and Withdrawal Procedure ................................. 295

Appendix D: Information Assurance, Cybersecurity, and IT Governance – IA

Professionals‘ Questionnaire ................................................................................. 297

Appendix E: Information Assurance, Cybersecurity, and IT Governance

Supervisors‘ Questionnaire .................................................................................... 298

Appendix F: The Expert Panel Communiqué ........................................................ 299

Appendix G: IT Organization – Emerging Nodes ................................................. 300

Appendix H: IT Organization – Emerging Responses .......................................... 301

Appendix I: IT Governance – Emerging Nodes .................................................... 302

Appendix J: IT Governance – Emerging Responses ............................................. 303

Appendix K: Security Management – Emerging Nodes ....................................... 304


15/24

xiii

Appendix L: Security Management – Emerging Responses ................................. 305

Appendix M: Cybersecurity Emerging Nodes ....................................................... 306

Appendix N: Cybersecurity – Emerging Responses .............................................. 307

Appendix O: Network Management – Emerging Nodes ....................................... 308

Appendix P: Network Management – Emerging Responses ................................. 309

Appendix Q: Senior Leadership Involvement – Emerging Nodes ........................ 310

Appendix R: Senior Leadership Involvement – Emerging Responses .................. 311

Appendix S: Emerging Response Themes Populated from Significant Frequency

Word Search Criteria ............................................................................................. 312

Appendix T: Emerging Themes Comparison with Germinal (Historical) and

Current Literature................................................................................................... 313


16/24

1

Chapter 1: Introduction

The continual emergence of technologies in the 21st century indirectly influences

cyberattacks and postures the federal government to develop countermeasures by

establishing partnerships with organizations in the public and private sectors to combat

network intrusions (Hare, 2009). In December 2008, the Cyberspace for the 44th

Presidency Report identified cybersecurity as an essential strategic national security issue

that challenges on a global enterprise scale, beckons public diplomacy practitioners, and

academics to analyze the economic influence (Baker, 2009). Emerging technologies

increase the number of cyberattacks on information networks, which may result in data

transfer vulnerabilities and data communication infiltration of enterprise networks

(Holstein, 2009). The globalization of information technologies might require the federal

government to develop cybersecurity strategies to enforce information assurance (IA)

policies and support metrics (Vaughn, Henning, & Siraj, 2010) to increase information

technology (IT) governance to protect the dissemination of information (Wilshusen,

2010a). Chabinsky (2010) emphasized cybersecurity is a process requiring continual

assessments of technical, policy, resources, and uncertainties.

A commitment by senior leadership to plan strategically the evolutionary

strategies for security policies to ensure standards protect organizational information may

provide the blueprint for effective network design (Hite, 2006), and sound

countermeasures to defend the network enterprise infrastructure (Alam & Bokhari, 2007).

The federal government is the largest employer in the United States, but the private

organizational sector has approximately 85% of the nation‘s critical network

infrastructure (Rhodes & Willemssen, 2004). Cybersecurity is a defensive


17/24

2

countermeasure against network vulnerabilities (Matisziw, Murray, & Grubesic, 2009).

Organizations investing in information assurance (IA) ensure the protection of critical

information (Ezingeard, McFadzean, & Birchall, 2007) and IT governance might provide

organizations countermeasures against cyberattacks (Chanda, 2008).

In Chapter 1, the focus of discussion provided the overview for this case research

study--background of the problem, problem statement, purpose, significance of the study,

importance of the study to leadership, nature of the study, research questions, theoretical

framework, definition of terms, assumptions, scope and limitations, and delimitations.

Chapter 1 continued with an outlay of how emerging technologies influenced

organizational strategies (VonKortzfleisch, 2003), cybersecurity (Harknett & Stever,

2009; Paladino & Fingerman, 2009; Zhu, 2009), including organizational commitment

(Ramamurthy, Premkumar, & Crum, 1999) to IA (Vaugh et al., 2010) and IT governance

(Iliescu, 2010; see also Wallace & Webber, 2007, 2010; Weill & Ross, 2004; Wood,

2005). Additionally, in Chapter 1 insight to decision theories (Cavusoglu, Raghunathan,

& Yue, 2008; Clemmons, 2008; Yajiong, Huigang, & Boulton, 2008) incorporated IA

professionals as critical elements in developing cybersecurity strategies to counter

network vulnerabilities formed the research study foundation. In summary, Chapter 1

focused on how March Air Reserve Base leaders may capitalize by using IA

professionals‘ expertise to diminish network vulnerabilities through cybersecurity

strategies and IT governance, thereby adding to the body of research literature,

leadership, and practice.


18/24

3

Background of the Problem

Network infrastructure vulnerabilities may escalate over time (Matisziw et al.,

2009) as technology evolves. The continual emergence of technologies has infiltrated

government and industry business infrastructures, resulting in reforming organizations

and fragile network infrastructures. The outcome from network vulnerabilities is the

potential debilitating aftermath occurring to national security, economic security, public

health, and safety may combine to precipitate global inoperability of the nation‘s

communication system, affecting government, private, and public agencies (Moteff,

2010). Data security is the number-one issue as highly personal data and fiscal records

are lost through theft (Trope, Power, Polley, & Morley, 2007). Bartlett and Smith (2008)

described the importance of data security to lower organizational risk by eliminating data

breaches, ―…first quarter of 2008, there were 167 data breaches reported, compromising

more than 8.3 million personal and financial records‖ (p. 34).

The U.S. established compliance policies for information assurance professionals

to have certification and accreditation and for the remaining workforce to receive

information assurance training (U.S. Department of the Air Force, 2008; 2010). In

January 2008, the Bush Administration identified cybersecurity as the critical entity for

national security and economic stability in the Comprehensive National Cybersecurity

Initiative (CNCI) (Rollins & Henning, 2009). CNCI includes defensive and offensive

cybersecurity strategies to deny adversaries network access and reduce network

vulnerabilities (Rollins & Henning, 2009). Sheldon and Vishik (2010) described CNCI

as a multidisciplinary approach for solving difficult cybersecurity threats (Raduege Jr.,


19/24

4

2009) through initiatives to control scalability and to establish trustworthy processes for

organizations using hardware, software, data, and networks for information.

Cybersecurity threats to organizational infrastructures come in a variety of forms,

such as organization insiders, terrorists, software (malware), hackers, and criminal groups

(Langevin, 2008). IA professionals frequently must attend technology events, participate

in cyber exercises, and enroll in cyber courses to hone skill level and to remain informed

of the latest cyber threats. IA professionals may assist organizational leadership in

configuring security policy elements, doctrine, and other security resources necessary in

the organization‘s strategic plan to defend the organization‘s critical infrastructure

(Brechbuhl, Bruce, Dynes, & Johnson, 2010). The National Science and Technology

Council develop cost strategies for implementing cybersecurity solutions (Sternstein,

2006). Cybersecurity is a collective agreement occurring immediately through the

Internet as a boundaryless network-sharing cyberspace (Greenwald, 2010), therefore,

underlining security as a global concern (Brechbuhl et al., 2010).

The subcommittees of the National Science and Technology Council (NSTC)

recognize information assurance as a critical resource in defending the nation‘s security,

and through organizational commitment with private and public interorganizational

partnerships may assist in achieving government compliance in cybersecurity (Wilshusen

& Rhodes, 2006). The evolution of interorganizational relationships remains challenging

as the globalization of markets increases the need for interorganizational IT governance

(Wood, 2005). IT governance as an internal organizational process governs internal

security policies to provide the necessary access to information (Sambamurthy & Zmud,

1999). The alliance of international organizational relationships drives the creation of


20/24

5

partnerships, resulting in new security policies under the disguise for interorganizational

IT governance (Croteau & Bergeron, 2009). Organizational leadership‘s commitment to

a strategic plan might require refocusing to incorporate IA at various organizational

levels as organizations use technology for global business expansion (Tiwana &

Konsynski, 2010).

The U.S. Air Force as a rational organization must have countermeasures for the

increasing emerging technologies and challenging the organization‘s network

infrastructure (Young, 2010). The Air Force strategic decision makers sought to control

the impact of emerging technologies on the organization‘s infrastructure and architectur e

by reengineering the U.S. Strategic Command and include the U.S. Cyber Command as a

subordinate organization (U.S. Department of Defense [DoD], 2009). The U.S. Cyber

Command (USCYBERCOM) established the foundation for implementing the

cybersecurity doctrine on DoD network infrastructure but deficient in the application and

resources to implement as a global cybersecurity strategy (Andrues, 2010).

The Air Force Reserve Command (AFRC) as a Major Command (MAJCOM) has

the same mission as Headquarters Air Force (HAF), which is to maintain superiority in

air, space, and cyberspace (U.S. Air Force Reserve, 2010). March Air Reserve Base

(MARB) operates as a wing organization, as such the strategic plan links to a higher-level

organization known as the Numbered Air Force (NAF), which supports AFRC, and HAF

(U.S. Air Force, 2009). The U.S. would seek command and control as a rational

organization by instituting information security, information assurance, and information

awareness to institute critical value toward cybersecurity. Brechbuhl et al. (2010) defined

cybersecurity as a collective concern whereby the government must depend on the private


21/24

6

sector to manage the cybersecurity risk along with the information communication

technologies (ICTs) infrastructure administration. The federal government recognizes the

course of action is to inform the public concerning cybersecurity and has initiated

partnerships with public-and-private sectors, and international industries for critical

alliance (Obama, 2011).

MARBs cybersecurity strategic plan require stakeholders‘ responsible at all

organizational levels, external commitment through cooperative partnerships, and internal

commitment of functional organizations to support the network infrastructure. The

MARB network enterprise supports approximately 5,000 personnel (reservists, civil

service, and contractors) and 29 tenant organizations (March Air Reserve Base Strategic

Plan, 2009). MARB personnel establish business-to-business (B2B) partnerships to

increase functional interdependencies and to compete for shrinking resources (Buhman,

Kekre, & Singhal, 2005). The B2B partnerships provide increased opportunity to

coordinate, collaborate, and communicate with industry and other government agencies.

New interdependent partnerships assist to counterbalance external forces‘ requirements

during organizational changes such as government regulations, the economy, and

information communication technologies (Morris, 2009). Technological advances and

data reliability drives the evolution of business-to-customer (B2C) and B2B relationships,

particularly as partnerships flourish to maintain a competitive edge (Vijayaraman &

Bhatia, 2002).

Secure information retrieval requires network security as a primary role in the

strategic plan and in software management (Knowles, 1999). As information and

intelligent information converts into knowledge, an organization may advance as a


22/24

7

competitor. Broadbent and Kitzis (2004) described legislation would increase to control

information security through an organization‘s compliance mechanisms, the passage of

liabilities onto the organization, and in some cases criminal liability for the misuse or loss

of corporate data. Buszta (2008) expressed organizational leaders must strategically plan

to incorporate certification and accreditation cybersecurity components to ensure the

organization remains in compliance and does not contradict federal government

regulations.

Organizational leaders must reassess continually outcomes from legislative

initiatives such as Federal Information Security Management Act (FISMA), the

Paperwork Reduction Act of 1995, and the Information Technology Management Reform

Act of 1996 (also known as the Clinger-Cohen Act) for compliance (Buszta, 2008).

Organizations must adopt new paradigms to interface with the new compliance

mechanisms, risk assessment, and security assurance (Tashi, 2009). A hidden pivotal

chasm unknown to organizational leaders induces network vulnerabilities when the

organization‘s acquisition technologies seek ROI for the organization. IA professionals‘

continually adjust protocols for just-in-time fixes or patch management strategies to

secure the network infrastructure and lower organizational risks as business units invest

in technologies without seeking IT expertise prior to the acquisition decision. The United

States General Accounting Office (GAO) recognized the criticality to assess requirements

for building a DoD enterprise with secure architecture and network infrastructure to

ensure the nation‘s valuable information remains protected and available to only

individuals with the proper credentials (Rhodes & Willemssen, 2004).


23/24

8

Statement of the Problem

The general problem is organizational leaders who work for government agencies

have experienced cyberattacks occurring on federal enterprise network systems and

critical architectural infrastructures (Wilshusen, 2010a) and presently seek alternatives

for securing information (Clark & Levin, 2009). The globalization of information

communication technologies (ICTs), such as social networking, increases organizational

risks (Barr, 2010). The implementation of ICTs challenges the federal government‘s

organizational security policies to protect vital information and to maintain a secure

network enterprise (Wilshusen, 2010a).

The specific problem is organizations exclude IA professionals as a critical

element in cybersecurity, while ICTs use continually increases, resulting in

organizational risks to network vulnerabilities such as denial of service attacks, network

intrusions, and viruses (Denning & Denning, 2010). Wilshusen (2010) contended the

federal government needs better control in decreasing the number of network

vulnerabilities by diminishing the continual cyberattacks to the federal system. Assante

and Tobey (2011) argued the deficit of a cybersecurity workforce challenges government,

industry, and academia such that organizations must implement emerging technologies to

expand business processes by using innovative or alternative methods.

Min, Beyeler, Brown, Son, and Jones (2007) accentuated critical collaborative

network infrastructures rely on cyber interdependencies as business processes realign to

the web as virtual applications, organizational leaders need to identify potential risks,

expedite the development, and execution of cybersecurity strategies by IA professionals.

Agresti (2010) argued cybersecurity requires sharing as a global responsibility from all


24/24

9

organizational levels. The Federal Information Security Management Act (FISMA)

provides regulatory guidance for federal agencies to ensure data security, data protection,

and require organizations to implement policies and procedures to reduce the risk

throughout the information life cycle (Ross, Swanson, Stoneburner, Katzke, & Johnson,

2004). Organizational leaders who work in the federal government may seek to control

information security through legislative initiatives on certification and accreditation of IA

professionals (Ross, Swanson, Stoneburner, Katzke, & Johnson, 2004), information

awareness, information technology governance, and countermeasures to support

cybersecurity (Koontz, 2003).

The qualitative case study design involved exploring the critical inclusion of IA

professionals in the organization‘s strategic plan by senior leadership to advance the

integration of cybersecurity and IT governance (Wood, 2005), resulting to diminish

network vulnerabilities. The outcome from developing a cybersecurity strategy may

provide practical application to reduce the risk (Knapp & Boulton, 2006) at MARB as a

government institution. A cybersecurity strategy may pertain to private and public

organizations, especially as organizations increasingly share information and depend on

information globally in cyberspace (Powner, 2010a). Ghernouti-Hélie (2010) argued a

cybersecurity strategy should exist and be enforceable on the national level and

compatible with the international level as the evolution of technologies challenges

managerial issues such as organizational structures, legal, and human resources.

Purpose of the Study

The purpose of the qualitative exploratory case study design analyzed the critical

inclusion of IA professionals in the organization‘s strategic plan by senior leadership to